Re: SPAM is not a big deal if you are getting only SPAM
Sorry for jumping in on that thread late ...

We were affected by this "storm" (mass relaying through CZ servers) as they abuse two domains of customers of ours, for which we do backup MX. When the inject started, the primary MX gave up quickly and we got all the bounces.

Fortunately - as far as we were involved - the SENDER address, where the bounces should go to, could easily be masked out with the badrcptpatterns file, putting

    [lL][Mm][Tt][Dd][0-9]-[Bb][Aa][Nn][Kk]@*
    [lL][Mm][Tt][Dd][0-9][0-9]-[Bb][Aa][Nn][Kk]@*

in this file (the pattern was LMTD-num-BANK@domain). I know this is kinda unfriendly, as msn, yahoo, ... got double bounces, but that was the only way to keep our mailserver operational.

During that whole thing I noticed another problem related to Lotus Notes mail servers *sigh* (we could not confirm whether this is a configuration error or a bug). As - of course - the address does not exist, Lotus did something weird. What should have resulted in a double bounce at the Lotus site did not. Instead the Lotus server saw a <> Envelope-Sender and decided to take the address from the "From:" line and tried to bounce the bounce back to [EMAIL PROTECTED], [EMAIL PROTECTED], ... As we are outgoing relay for that Lotus server, our mailserver was additionally hit by the (double) bounces *argh*. As yahoo sends out bounces with a From: [EMAIL PROTECTED], but that is a non-existing account, I then got the resulting double bounce in my postmaster box *BIG ARGH*.

I patched qmail-smtpd to make use of a "badbouncercpt" file. If the message is a bounce and the user or user@domain is in the "badbouncercpt" file, we do not accept the message. Currently our "badbouncercpt" file contains

    mailerdaemon
    mailer-daemon
    mail-daemon
    [EMAIL PROTECTED]
    [EMAIL PROTECTED]

After those modifications our mailserver still was at rather high load but could stand it.

Life could be much easier by cutting off the fingers of mailserver "programmers" who don't have a clue and writing a virus that deletes all incarnations and source code of their programs ...

\Maex

-- 
SpaceNet GmbH             | http://www.Space.Net/     | Stress is when you wake
Research Development      | mailto:[EMAIL PROTECTED]  | up screaming and you
Joseph-Dollinger-Bogen 14 | Tel: +49 (89) 32356-0     | realize you haven't
D-80807 Muenchen          | Fax: +49 (89) 32356-299   | fallen asleep yet.
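The two envelope-time checks Maex describes (badrcptpatterns globs on RCPT TO, and the badbouncercpt list applied only to bounces, i.e. MAIL FROM:<>), as an added C example; this is not the qmail-smtpd patch from the post, the function names are hypothetical, and the control-file contents are constructed for illustration:

```c
/* Added example, not the patch from the post: recipient-time rejection of
 * backscatter.  qmail-smtpd sees MAIL FROM and RCPT TO before DATA, and a
 * bounce (DSN) carries the empty envelope sender "<>".  Control-file
 * contents below are constructed; function names are hypothetical. */
#include <ctype.h>
#include <fnmatch.h>
#include <string.h>

/* Stand-in for control/badbouncercpt: "user" or "user@domain" per line. */
static const char *const badbouncercpt[] = {
    "mailerdaemon", "mailer-daemon", "mail-daemon", "postmaster@example.net",
};

/* Stand-in for control/badrcptpatterns: glob patterns for the forged
 * sender addresses (LMTD<num>-BANK@<domain>) the bounces come back to. */
static const char *const badrcptpatterns[] = {
    "[lL][Mm][Tt][Dd][0-9]-[Bb][Aa][Nn][Kk]@*",
    "[lL][Mm][Tt][Dd][0-9][0-9]-[Bb][Aa][Nn][Kk]@*",
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Case-insensitive string equality; SMTP clients send any letter case. */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* 1 if the recipient matches a badrcptpatterns glob (regardless of sender). */
int rcpt_matches_pattern(const char *rcpt) {
    for (size_t i = 0; i < COUNT(badrcptpatterns); i++)
        if (fnmatch(badrcptpatterns[i], rcpt, 0) == 0) return 1;
    return 0;
}

/* 1 if this is a bounce (empty MAIL FROM) to a recipient whose local part
 * or full address is listed in badbouncercpt. */
int is_bad_bounce_rcpt(const char *mailfrom, const char *rcpt) {
    char user[256];
    const char *at = strchr(rcpt, '@');
    size_t userlen = at ? (size_t)(at - rcpt) : strlen(rcpt);
    if (mailfrom[0] != '\0') return 0;      /* a real sender: not a bounce */
    if (userlen >= sizeof user) return 0;   /* oversized local part: no match */
    memcpy(user, rcpt, userlen);
    user[userlen] = '\0';
    for (size_t i = 0; i < COUNT(badbouncercpt); i++)
        if (eq_nocase(badbouncercpt[i], user) || eq_nocase(badbouncercpt[i], rcpt))
            return 1;
    return 0;
}

/* Decision at RCPT TO time: 1 means reject before DATA, so no bandwidth is
 * spent receiving the body of a message that would only be discarded. */
int reject_rcpt(const char *mailfrom, const char *rcpt) {
    return rcpt_matches_pattern(rcpt) || is_bad_bounce_rcpt(mailfrom, rcpt);
}
```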
Re: SPAM is not a big deal if you are getting only SPAM
On 4 Oct 2000, at 16:01, [EMAIL PROTECTED] wrote:

> Problems should be sent first to the client ISP, if available from
> headers, and if not, to [EMAIL PROTECTED]

<sarcasm>Thanks for the advice.</sarcasm>

In that case, you might want to ask what happened to report BBN-DDQV54204. I haven't heard a word from bbn.com, except the automatic ticket. I did report it more than a week ago, at the moment the first double bounce appeared in my mailbox.

-- 
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
   [Tom Waits]
Re: SPAM is not a big deal if you are getting only SPAM
On 4 Oct 2000, at 19:45, OK 2 NET - André Paulsberg wrote:

> Block them with ORBS ;D

You don't get it. I got most of the bounces from yahoo.com, msn.com, aol.com, excite.com etc. Those machines are *not* open relays; they tried to deliver mail for local users, and then bounced the undeliverable messages back (to me, sadly).
Re: SPAM is not a big deal if you are getting only SPAM
I've been watching this thread on the sideline, and it seems to me that the problem is that your box accepts mail to addresses that don't exist on your server, and thus floods your postmaster (you). Am I right?

If this is so, then all you really have to do is this:

  - remove .qmail-default
  - make .qmail-postmaster into a script that looks up whether the receiving address is valid, otherwise send it to /dev/null

/Martin

Petr Novotny wrote:

> On 4 Oct 2000, at 19:45, OK 2 NET - André Paulsberg wrote:
>
> > Block them with ORBS ;D
>
> You don't get it. I got most of the bounces from yahoo.com, msn.com,
> aol.com, excite.com etc. Those machines are *not* open relays; they
> tried to deliver mail for local users, and then bounced the
> undeliverable messages back (to me, sadly).
Re: SPAM is not a big deal if you are getting only SPAM
On 5 Oct 2000, at 10:27, Martin Jespersen wrote:

> I've been watching this thread on the sideline, and it seems to me that
> the problem is that your box accepts mail to addresses that don't exist
> on your server, and thus floods your postmaster (you). Am I right?

The storm is (fortunately) over. I have solved the load on the box by changing my .qmail-default to

    |fastforward -d /etc/aliases.cdb; exit 0

It kept the load down, and kept my inbox (almost) clean. But still the traffic was killing the line. (And, for the record, refusing the data after seeing RCPT TO, before accepting DATA, with the likes of the "badrcptto" patch, might cut the bandwidth down by perhaps 30 or 50%, but would not solve the problem.)

[What really hurts is that we're paying for each transmitted megabyte. Fortunately, the ISP agreed to waive about 40% of the usual price for these extra megabytes. You know, the ISP has been hit by the same spammer, faking also their domain as a return address...]
Re: SPAM is not a big deal if you are getting only SPAM
> SPAM is not a big deal if you are getting only SPAM. It is much worse
> when you are getting thousands and thousands of failure messages. This
> is exactly what happened to me: some smart guy has a huge list of email
> addresses which are intended to be his spam victims. Thousands of them
> are not working any more, because the list is out-dated, but the error
> messages have to end somewhere, don't they? Ok, we pick up some existing
> domain.com and then we will randomly generate [EMAIL PROTECTED] So,
> all this mess ends up in the postmaster's mail. Apart from these, you
> find there also tons of threats that people will sue me for spamming.

Is your server being used as a relay for these messages, or are the SPAMMERS simply using your domain to forge their envelope sender?

> My question is:
> 1) is there a way out?

Yes, it's however mighty complex and for most people unacceptable. You have to "compromise" your security so that your service to your users is balanced right where you and your users are happy; secondly you have to "compromise" security to ensure that your work day is less than 24 hours every day while still making your server maximally safe.

> 2) can qmail reject email based on "Received: " envelope? I want it not
> to bounce a message back, if there is the bad.host.com listed in the
> Received line.

You can only purge them automatically, I'm not sure that's too smart. The best is to reject based on envelope sender or recipient, that way you can tell the "offending" server that you rejected the message. (This is done through the files control/badmailfrom and control/badrcptto.)

BTW: would it be possible to see one COMPLETE bounce message you are having trouble with?

MVH
André Paulsberg
Re: SPAM is not a big deal if you are getting only SPAM
On 4 Oct 2000, at 16:04, OK 2 NET - André Paulsberg wrote:

> Is your server being used as a relay for these messages, or are the
> SPAMMERS simply using your domain to forge their envelope sender?

The latter. (It happened to quite a few domains in .cz, lately. I have been busy accepting, refusing and deleting a gigabyte of bounces/double-bounces over our pathetic 64kbit line for most of the previous week.)

> > 2) can qmail reject email based on "Received: " envelope? I want it
> > not to bounce a message back, if there is the bad.host.com listed in
> > the Received line.
>
> You can only purge them automatically, I'm not sure that's too smart.
> The best is to reject based on envelope sender or recipient, that way
> you can tell the "offending" server that you rejected the message.
> (This is done through the files control/badmailfrom and
> control/badrcptto.)

badmailfrom doesn't help as all the incoming messages are bounces, MAIL FROM:<>

badrcptto might help, together with some heuristics. (There were way-too-many forms of [EMAIL PROTECTED]) goodrcptto might help better :-)

I just changed my ~alias/.qmail-default to

    |fastforward -d /etc/aliases.cdb; exit 0

to keep my mailbox clean (and my old harddisk from suffering, queue from growing, and the load never was more than 4.55 :-) - most of the load coming (probably) from SYN cookies).

> BTW: would it be possible to see one COMPLETE bounce message you are
> having trouble with?

I have stored about five thousand of them. The basic pattern is simple: Some faked Received line, then someone at saturn.bbn.com (a DSL? dial-up?), then some open relay in .cn, .jp or .kr domains (I have seen quite a few of them) and then the recipient, bouncing the message back. I can post one of the messages, but which one? Don't want to be unfair to the remaining open relays :-)

A few people suggested to sue the spammer for misusing antek.cz's name. Can anyone suggest how? I am not US-based and our company is not US-based. Is it a crime to fake the return address (meaning I can mail my evidence to the authorities) or am I on my own to sue the spammer? If the latter, I can see no chance of that happening...
Re: SPAM is not a big deal if you are getting only SPAM
> > > 2) can qmail reject email based on "Received: " envelope? I want it
> > > not to bounce a message back, if there is the bad.host.com listed in
> > > the Received line.
> >
> > You can only purge them automatically, I'm not sure that's too smart.
> > The best is to reject based on envelope sender or recipient, that way
> > you can tell the "offending" server that you rejected the message.
> > (This is done through the files control/badmailfrom and
> > control/badrcptto.)
>
> badmailfrom doesn't help as all the incoming messages are bounces,
> MAIL FROM:<>
>
> badrcptto might help, together with some heuristics. (There were
> way-too-many forms of [EMAIL PROTECTED]) goodrcptto might help better
> :-)

Badrcptto does not look at the 'Received:' lines, does it? A good solution might be to patch qmail so that it will not bounce a message back if it sees a suspicious 'Received:' line in the header. What is the best way to do this?

> I just changed my ~alias/.qmail-default to
>
>     |fastforward -d /etc/aliases.cdb; exit 0
>
> to keep my mailbox clean (and my old harddisk from suffering, queue from
> growing, and the load never was more than 4.55 :-) - most of the load
> coming (probably) from SYN cookies).

This is simple and efficient. Thanks!

> > BTW: would it be possible to see one COMPLETE bounce message you are
> > having trouble with?
>
> I have stored about five thousand of them. The basic pattern is simple:
> Some faked Received line, then someone at saturn.bbn.com (a DSL?
> dial-up?), then some open relay in .cn, .jp or .kr domains (I have seen
> quite a few of them) and then the recipient, bouncing the message back.
> I can post one of the messages, but which one? Don't want to be unfair
> to the remaining open relays :-)

Yes, this is the same guy. All emails' source looks like PPPa14-ResaleKansasCity1-4R7102.saturn.bbn.com

> A few people suggested to sue the spammer for misusing antek.cz's name.
> Can anyone suggest how? I am not US-based and our company is not
> US-based. Is it a crime to fake the return address (meaning I can mail
> my evidence to the authorities) or am I on my own to sue the spammer?
> If the latter, I can see no chance of that happening...

Usually you would contact the people responsible for the domain saturn.bbn.com. No responses so far.

Petr
Re: SPAM is not a big deal if you are getting only SPAM
> > You can only purge them automatically, I'm not sure that's too smart.
> > The best is to reject based on envelope sender or recipient, that way
> > you can tell the "offending" server that you rejected the message.
> > (This is done through the files control/badmailfrom and
> > control/badrcptto.)
>
> badrcptto might help, together with some heuristics. (There were
> way-too-many forms of [EMAIL PROTECTED]) goodrcptto might help better
> :-)

For now I recommend putting all known forged addresses in badrcptto; this is the only "easy" way to avoid any high-volume traffic over a 64kbps line.

> > BTW: would it be possible to see one COMPLETE bounce message you are
> > having trouble with?
>
> I have stored about five thousand of them. The basic pattern is simple:
> Some faked Received line, then someone at saturn.bbn.com (a DSL?
> dial-up?), then some open relay in .cn, .jp or .kr domains (I have seen
> quite a few of them) and then the recipient, bouncing the message back.
> I can post one of the messages, but which one? Don't want to be unfair
> to the remaining open relays :-)

Block them with ORBS ;D

> A few people suggested to sue the spammer for misusing antek.cz's name.
> Can anyone suggest how?

Not me, but I'm sure you can get a lawyer to help you with this.

MVH
André Paulsberg
Re: SPAM is not a big deal if you are getting only SPAM
On Wed, 04 Oct 2000 16:16:49 -, Petr Danecek wrote:

> Badrcptto does not look at the 'Received:' lines, does it? A good
> solution might be to patch qmail so that it will not bounce a message
> back if it sees a suspicious 'Received:' line in the header. What is the
> best way to do this?

I don't believe badrcptto is a valid control file (at least not for qmail). Is it part of a patch? Is it an undocumented *feature*? :-)

So, unless it is part of something you have crafted or an add-on to qmail, then it is probably not being used at all...

Andy
Re: SPAM is not a big deal if you are getting only SPAM
Hi,

At 16:16 4.10.2000 +, Petr Danecek wrote:

> > > > 2) can qmail reject email based on "Received: " envelope? I want
> > > > it not to bounce a message back, if there is the bad.host.com
> > > > listed in the Received line.
> > >
> > > You can only purge them automatically, I'm not sure that's too
> > > smart. The best is to reject based on envelope sender or recipient,
> > > that way you can tell the "offending" server that you rejected the
> > > message. (This is done through the files control/badmailfrom and
> > > control/badrcptto.)
> >
> > badmailfrom doesn't help as all the incoming messages are bounces,
> > MAIL FROM:<>
> >
> > badrcptto might help, together with some heuristics. (There were
> > way-too-many forms of [EMAIL PROTECTED]) goodrcptto might help
> > better :-)
>
> Badrcptto does not look at the 'Received:' lines, does it? A good
> solution might be to patch qmail so that it will not bounce a message
> back if it sees a suspicious 'Received:' line in the header. What is
> the best way to do this?
>
> > I just changed my ~alias/.qmail-default to
> >
> >     |fastforward -d /etc/aliases.cdb; exit 0
> >
> > to keep my mailbox clean (and my old harddisk from suffering, queue
> > from growing, and the load never was more than 4.55 :-) - most of the
> > load coming (probably) from SYN cookies).
>
> This is simple and efficient. Thanks!
>
> > > BTW: would it be possible to see one COMPLETE bounce message you
> > > are having trouble with?
> >
> > I have stored about five thousand of them. The basic pattern is
> > simple: Some faked Received line, then someone at saturn.bbn.com (a
> > DSL? dial-up?), then some open relay in .cn, .jp or .kr domains (I
> > have seen quite a few of them) and then the recipient, bouncing the
> > message back. I can post one of the messages, but which one? Don't
> > want to be unfair to the remaining open relays :-)
>
> Yes, this is the same guy. All emails' source looks like
> PPPa14-ResaleKansasCity1-4R7102.saturn.bbn.com

If this address is in the "MAIL From:" you can give my SPAMCONTROL patch a trial. Here, you are free to do a pattern match on the sender.

> > A few people suggested to sue the spammer for misusing antek.cz's
> > name. Can anyone suggest how? I am not US-based and our company is
> > not US-based. Is it a crime to fake the return address (meaning I can
> > mail my evidence to the authorities) or am I on my own to sue the
> > spammer? If the latter, I can see no chance of that happening...
>
> Usually you would contact the people responsible for the domain
> saturn.bbn.com. No responses so far.

The patch includes a DNS MX lookup. Maybe that helps.

http://www.fehcom.de/qmail_en.html

cheers. eh.

> Petr

-- 
Dr. Erwin Hoffmann
fehcom, http://www.fehcom.de
Wiener Weg 8, 50858 Koeln
Tel 0221 484 4923, Fax 0221 484 4924
Re: SPAM is not a big deal if you are getting only SPAM
On Wed, Oct 04, 2000 at 04:17:05PM +0200, Petr Novotny wrote:

> On 4 Oct 2000, at 16:04, OK 2 NET - André Paulsberg wrote:
>
> > Is your server being used as a relay for these messages, or are the
> > SPAMMERS simply using your domain to forge their envelope sender?
>
> > BTW: would it be possible to see one COMPLETE bounce message you are
> > having trouble with?
>
> I have stored about five thousand of them. The basic pattern is simple:
> Some faked Received line, then someone at saturn.bbn.com (a DSL?
> dial-up?), then some open relay in .cn, .jp or .kr domains (I have seen
> quite a few of them) and then the recipient, bouncing the message back.
> I can post one of the messages, but which one? Don't want to be unfair
> to the remaining open relays :-)

<std.disclaimer>

Anything in .saturn.bbn.com is a dialup port sold to a virtual ISP, that is, a company which may or may not own any modems of their own, but buys access to Genuity's (formerly BBN's) dialup pool. We don't have any particular control over them, but every single user is a client of one of our clients, and our contracts have strong anti-spam terminology.

Problems should be sent first to the client ISP, if available from headers, and if not, to [EMAIL PROTECTED]

-dsr-